[wp-trac] [WordPress Trac] #32985: Grant list_users to Editor, Author and Contributor
WordPress Trac
noreply at wordpress.org
Wed Jul 15 21:30:18 UTC 2015
#32985: Grant list_users to Editor, Author and Contributor
-----------------------------+-----------------------------
Reporter: allendav | Owner:
Type: enhancement | Status: closed
Priority: normal | Milestone:
Component: Role/Capability | Version: trunk
Severity: normal | Resolution: wontfix
Keywords: needs-patch | Focuses: administration
-----------------------------+-----------------------------
Changes (by johnbillion):
* status: new => closed
* resolution: => wontfix
* milestone: Awaiting Review =>
Comment:
Thanks for the ticket, allendav!

This opens up considerable security and privacy implications. For example,
imagine a site with authors or editors who do not know each other yet all
have the ability to publish content on the site. If they suddenly get
given the ability to browse users, they'll be able to see (at a minimum)
the email address of all other users on the site, which is a huge privacy
concern. Even information such as a user's real name can be considered
sensitive, and if a plugin is active on the site which adds even more
information to the Users list table then this information will be visible
too.

Just because a user is a trusted author or editor doesn't mean they're
trusted enough to see any sort of personal information about other users.

This is definitely something that should be kept to a plugin for sites
that need it. It could be as simple as this:
{{{
add_filter( 'user_has_cap', function( array $user_caps, array $required_caps, array $args ) {
	// $args[0] is the capability being checked, $args[1] is the ID of the user being checked.
	if ( 'list_users' === $args[0] && user_can( $args[1], 'edit_posts' ) ) {
		$user_caps['list_users'] = true;
	}
	return $user_caps;
}, 10, 3 );
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/32985#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform